evought's Journal: 2006 FBI Cybercrime reports out

The FBI 2006 IC3 Internet Crime Report and The FBI/CSI 2006 Computer Crime and Security Survey (summary, must register for full report) are both out. The FBI/IC3 report deals with computer fraud reported in 2006, while the FBI/CSI survey (Computer Security Institute, not the TV show) is a survey of 616 security professionals in US organizations about attacks sustained, security precautions used, security budgets, losses due to attacks, and so forth in 2005.

According to the 2006 FBI Internet Crime Report the FBI Internet Crime Complaint Center processed 200,481 Internet-related crime complaints, a number which is down somewhat from 2005 but more than double 2003 figures. Complaints supported 86,279 criminal investigations at the federal, state, or local level. The complaints were varied, including auction fraud, non-delivery of goods, credit card fraud, computer intrusions, SPAM, and child pornography. Almost all involved financial loss, with a total loss of $198.4 million (up slightly from last year).

Among the survey findings is that the top four threats, viruses, unauthorized computer use, theft of equipment, and theft of intellectual property (in order) account for 74% of losses. Fifty-two percent of respondants reported unauthorized use of their systems in the twelve month period and 9% reported more than 10 such incidents. Total losses from the 313 respondents willing to provide figures were estimated at over $52 million. A disturbing trend is the number of respondents who claimed substantial loss from insiders.

Reported financial damages and number of successful attacks have noticeably decreased against previous years, but the survey is skewed toward companies with security policies in place (they have dedicated security personnel and have been in at least one CSI program) who have presumably been improving their defenses. Interestingly, 22% of those surveyed were in organizations with from 1-99 employees, so small to medium businesses were well covered. The survey notes that per employee expenditures on security are much higher in smaller organizations (by total revenue). The full report is an interesting read, especially their definitions of terms and assumptions.